October 22, 2011 // 11:55 pm - Following up on the initial PS3 JailBreak 2 news comes various PS3 CFW JailBreak 2 and JB2 Updater details today including the examination of an EBOOT.BIN from the Driver: San Francisco Blu-ray Disc in comparison to one from an official PS3 Game (BLES00891) Disc with developments on reverse-engineering the PS3 JB2 file dumps and more below.

To begin, whyudie states the following on the PS3 CFW JailBreak 2 and JB2 Updater for PlayStation 3: I just wanted to share this CFW. This CFW is intended more specifically for Jailbreak 2 dongle only. Most likely will not run well without that dongle. Perhaps some developers out there could investigate this CFW, and develop it even better.

If anyone out there want to install this CFW on your PS3. Do it at your own risk!!

JailBreak 2 Dongle Features

Can play backup games that require firmware 3.60 + (Direct boot just like the original games)

Only burned BD Disc format with some patches will work. For now, there's no info how to make a backup iso to work with this CFW.

Can play backup games from the HDD. PS3 games with FW 3.55 or lower (via internal or external hdd)

Only works on the PS3 with official/custom firmware 3.55, not the downgrade PS3.

From my local game store. I live in Indonesia. And I bought the dongle. And get the bonus cd and the CFW files is from that cd. And that CFW must be installed first on PS3, and upgrade the dongle with that pkg files.

Below is a preliminary synopsis from moogie via Twitter and ps3devwiki.com/index.php?title=PS3JB2_Reverse_Engineering and ps3devwiki.com/index.php?title=Talk:Keys#sv_iso_spu_module_1.02-3.55:

JB2's dongle updater pkg, its EBOOT.BIN is just an FSELF (fake signed), the Driver: SF eboot fix is also an FSELF, FSELF's are mean't for debug consoles, easier to fself your game, then to actually sign it, you can patch retail FW to run FSELF's, either through the fw, or you can modify PL3, or even, resign the EBOOT.BIN, its nothing special, from the looks of it, they don't have any keys, just debug EBOOT.BIN's.

You don't need that dongle either, just resign the EBOOT.BIN or patch the FW to run FSELF's, their MFW could have these patches, or maybe, their dongle deliver's the patches. I do not know for sure, maybe their dongle does something else entirely, but I know its an FSELF, and you can make that run, without their dongle.

Dongle is DRM to make sure you have the dongle, the firmware 'special' functionality will not work without it. Contentdisc's contain fself'ed eboot.bin's.

Those JB2 eboot.bin stuff, actually isn't debug fself's, but readself says it is its their DRM. Can't be decrypted without their stuff. They have their own keys, which they are signing the EBOOT.BIN's with, I think they are debug eboot's resigned with their stuff.

That's the algo for masterdiscs, ps3gen.dll has the static keys for masterdiscs. You can also get it from sv_iso the sdk tool that generates masterdisc images.

Then you take the decrypted fself and resign it for 3.55 with makeself then swap eboot. I think it should be somewhere in the PS3_Generator_Tools-312.zip in the 3.60 SDK but I'm not finding it, but that's where the master disc stuff is.

Finally, upon examination several users including DanyL, TheLostDeathKnight and bubbleboy have stated that the JB2 doesn't use a new PlayStation 3 exploit nor contain PS3 3.6+ keys, and that the dongle is only used as identification for activating the patch.

For those curious, patching the appldr keys has been done but not made public back with the PS3 3.56 keys so it isn't unfamiliar to most PlayStation 3 developers but unfortunately it is patchable by Sony. A brief outline of the process involved is below, as follows:

Obtain PS3 Debug EBOOT file from Sony's Developer Network via Debug console by one of the following methods:

Boot up your PS3 to the XMB, make sure in debug settings that NP environment is set to “sp-int” or “prod-qa”, sign into PSN (with sp-int or prod-qa credentials, you can use the quick sign-up), and launch the game. If your in luck, it will say an update is available – download it!

To get the URL you have a few options. You could either sniff out the connection with something like Wireshark - that takes a bit more setup. Other times the URL is actually passed right to dtccons - so make sure you have the debugging windows open. Or, you could use any number of the PS3 Proxy applications to grab the link.

Those who know their PS3 Game's Title ID and are seeking PS3 Game Update Packages can now use this simple guide to grab them while they last.

Patch Retail PS3 Firmware to run a Debug EBOOT file

Dump and burn the PS3 3.60+ games to BD-DVD with the included Debug EBOOT file

Add the DRM to the PS3 MFW / CFW that JB2 uses and validate it via the dongle

The above process will likely continue to work until Sony locks down the PS3 Debug EBOOT files.

PS3 JB2 Keys

The encryption keys for PS3 Debug Discs utilized by the PS3 JB2 method can be found below.

i never tested my dongle updater before release, anyone else tried it? cause puss in boots seems to be the only one game that works it just happened to be the one that i tried? maybe i should start playing the lottery? lol. maybe it has some significance in reverse engineering the dongle though?

Wololo's thoughts are ridiculously nonsense. Who cares if TB team will change encryption scheme. They still want us to believe if someone hacks TB, there will be no more new games. This is the same logic if we share PS3 exploits they can patch it. Who cares if Sony of TB patch their exploits. Of caurse they'll patch it, it is their job to protect their property. But if you call yourself a scene developer you can always comeup wit a new solution. This is what makes a scene The Scene.

These "It will lead to piracy" and "They can patch it" execuses are just a cover for their fear of Sony.

following up on shad__'s excellent work on the modified true blue eboot, i repacked it as a installable pkg and also modified the text so it now reads remove the dongle and press x to return to the xmb. download link here: http://www.putlocker.com/file/6B780406C00FD776

Below is an update from wololo (via wololo.net/2012/06/06/ps3-more-dongles-info-decrypted-by-oct0xor/) dubbed PS3 - More dongles info decrypted by oct0xor (covered a few posts above), as follows:

PS3 hacker oct0xor, who was already behind the base work that led to initial reverse engineering of the True Blue dongle, just twitted that he can decrypt True Blue’s stage2, as well as critical information from other clone dongles.

I can decrypt TrueBlue Stage 2, Cobra EBOOT.BIN, ps3usercheat cheatlist.dat and lv2 stage 1 and 2, right on PC.

You really can call me “DongleBreaker” now Thanks to flat_z who was with me all along.

As I said earlier, the people behind True Blue are not amateurs in the hacking scene and could definitely leverage that type of information. Hackers like oct0xor are not fighting against “we don’t know about it until it’s too late” Sony, but against people who regularly check all scene websites, and take action.

I have no doubt that the next True Blue firmwares will change their encryption scheme, and if not, another “magical” dongle will pop up in the months to come, from another random company (the same people who made true blue, of course), with a completely different security system.

That is, unless PS3 hackers completely reverse engineer the system behind the True Blue dongle, in a way that Sony can finally understand how True Blue are able to patch 3.6+ games so easily, and hoping that future games will be protected against the True Blue patches. That would calm down piracy on the PS3, and people who don’t get it will claim that this could kill the PS3 scene.

This is good news. But at the same time ANOTHER frikking dongle is down right shameful. I mean whats the frikking point. arrgghhhhhh I know make more money by pirating from pirates. knowing still doesn't help.

Thanks to oct0xor (twitter.com/#!/oct0xor) we could get our hands on the decrypted TB payload (stage 2). Of course the first thing to do is to fire it up in IDA, our favourite tool of the trade. The entry code of the payload looks like this:

In the first loop it will relocate itself using 0x1337C0DE as an identifier for the upper 32 bits and rewrite that to the actual base. The disassembly above was already loaded using 0x1337C0DE00000000 as base. While scrolling through the data section at the end of the payload one quickly figures out that the RTOC is 0x1337C0DE00017E40.

As I was analyzing the code I found a sub that was basically just a really big switch with random looking case values. Once I reversed the sub at 0x1337C0DE00002578 and some of the following ones and analyzed their usage in the switch sub, I knew that I was looking at a fricking virtual machine.

Paranoid TB developers even used XOR-tables to obfuscate the VM instructions and data. The virtual machine is mostly stack based but the instructions let you work using registers too. The next thing to do is to reverse all the instructions and write a disassembler and emulator. Here (pastie.org/4015202) is some code to unscramble the embeded vm binary for further investigation. I’m going to write more about this topic in the future.

[shad__] if it can help, you can play tb eboot without tb plugged in. Just, patch sys_sm_shutdown call in TB update pkg and unplugg Tb dongle then press x to exit.It will exit without reset lv1 and lv2.
[shad__] POC: http://www.mediafire.com/?z42clbkhjju1khy
[shad__] Now you can share your dongle with your friends
[shad__] was [email protected] * New Now Know How

Also this weekend Team E3DIY claim that they have also managed to run all PlayStation 3 games on 3.55 PS3 CFW (similar to TB/JB2) but they will likely peddle another dongle to do it unfortunately instead of a free PS3 scene solution.

Finally from oct0xor (via twitter.com/#!/oct0xor):

ps3usercheat skip r4=%x,r5=%x main_EBOOT.BIN main_vsh.self

I can decrypt TrueBlue Stage 2, Cobra EBOOT.BIN, ps3usercheat cheatlist.dat and lv2 stage 1 and 2, right on PC. pic.twitter.com/b2awqYLv

You really can call me "DongleBreaker" now Thanks to flat_z who was with me all along.

Below is an update on the True Blue PS3 JB2 Dongle new security packaging, as follows:

30 - 5 – 2012

New packaging for True Blue incorporating security measures and an updated picture identification reference for clones

Due to the recent emergence of clones we are introducing a new packaging system and a security sticker on the dongle itself to help ensure customers receive original True Blue dongles.

Firstly, a new blister pack with a label over the blister will be introduced, as shown below. This provides several measures for the user to identify if the True Blue device received is likely to be original.

Note the unique security patterns in silver which are difficult to counterfeit, due to the colour variations on the background colours, materials used and complexity of the pattern itself. If the label appears to be stretched or appears to have been used before, then careful attention should be paid to the security sticker on the dongle itself.

The security sticker adhered to the dongle itself (shown below), partially covering the cap will provide the user with an indication of whether or not the dongle has been tampered with before delivery. Therefore, if the portion of the sticker covering the dongle cap has been broken, then it is possible that the dongle may have been tampered with. If this is the case, please use the TrueBlue 2.7 firmware as a means to check the authenticity of the dongle.

If the word clone appears in the PS3 XMB where the TrueBlue 2.7 version number is stated, then you should contact your reseller for assistance. Security stickers are designed with a number of security considerations in mind and are very difficult to reproduce exactly. This will aid retailers and end users in determining whether the product received is an original.

Some original True Blue dongles are in the supply chain yet to be sold, which do not have the new packaging. If you receive a True Blue dongle without the new packaging, then simply use the True Blue 2.7 firmware to identify whether or not it is an original. Details can be found on the information page and inside the 2.7 firmware download package on the downloads page.

Finally, we are updating the picture references for users to identify whether their PCB is an original True Blue or a CLONE. We have released several revisions of the True Blue PCB’s which are shown below. The recent CLONE posing as True Blue in a similar casing is also shown below and referenced as CLONE. If you have received one of these clones instead of the original True Blue you ordered, then you should contact the retailer who you purchased it from for a refund.